Cross Site Tracing aka XST is not very likely to become a threat nowadays with updated technology, as most modern browsers prevent all the known and common attack vectors.

[quote=MaXe]What is XST and can it be used for anything?

XST also known as Cross Site (Script) Tracing is a way of abusing the HTTP Trace (Debug) protocol. Anything that an attacker sends to a web-server that has TRACE enabled will send the same answer back. If an attacker sends the following:

The attacker will receive the same "Custom-header: <scr..." back allowing script execution. However after recent browser updates the following year(s) XST has been increasingly harder to control and execute properly.[/quote]

[quote=OWASP]Note: in order to understand the logic and the goals of this attack you need to be familiar with Cross Site Scripting attacks.

The TRACE method, while apparently harmless, can be successfully leveraged in some scenarios to steal legitimate users' credentials. This attack technique was discovered by Jeremiah Grossman in 2003, in an attempt to bypass the HTTPOnly tag that Microsoft introduced in Internet Explorer 6 sp1 to protect cookies from being accessed by JavaScript. As a matter of fact, one of the most recurring attack patterns in Cross Site Scripting is to access the document.cookie object and send it to a web server controlled by the attacker so that he/she can hijack the victim's session. Tagging a cookie as httpOnly forbids JavaScript to access it, protecting it from being sent to a third party. However, the TRACE method can be used to bypass this protection and access the cookie even in this scenario.

As mentioned before, TRACE simply returns any string that is sent to the web server. [/quote]

[quote=manoj9372]which we are sending will get executed on the web-server? or just it is echoed back from the web-server without being executed?[/quote]

It's just like non-persistent XSS, except it isn't a GET or POST request, instead it's the TRACE protocol, which returns any headers sent to the server by default if enabled, as this is how the TRACE protocol is meant to work. (It is recommended to have it disabled anyway.)

In other words: No, the script is just echoed back from the server and is NOT stored.
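
The echo behaviour discussed above can be checked from the defender's side. The following is an added example, not code from this thread: it sends a TRACE request carrying a random marker header and reports whether the marker comes back in the response body. The two loopback servers, the `X-Trace-Probe` header name and all function and class names are constructed for the illustration.

```python
import http.client
import threading
import uuid
from http.server import BaseHTTPRequestHandler, HTTPServer

class NoTrace(BaseHTTPRequestHandler):
    """Constructed server with TRACE off: no do_TRACE, so it answers 501."""
    def log_message(self, *args):
        pass  # keep the demo quiet

class EchoTrace(NoTrace):
    """Constructed server with TRACE on: echoes the request back."""
    def do_TRACE(self):
        lines = [self.requestline] + [f"{k}: {v}" for k, v in self.headers.items()]
        body = "\r\n".join(lines).encode("latin-1")
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

def trace_echoes_headers(host, port, timeout=5):
    """True if a marker header sent with TRACE comes back in the response body."""
    marker = uuid.uuid4().hex  # random, so a match cannot be coincidental
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("TRACE", "/", headers={"X-Trace-Probe": marker})
        resp = conn.getresponse()
        body = resp.read().decode("latin-1", "replace")
        return resp.status == 200 and marker in body
    finally:
        conn.close()

def demo():
    """Run the check against both constructed servers on loopback."""
    results = {}
    for name, handler in (("trace_on", EchoTrace), ("trace_off", NoTrace)):
        srv = HTTPServer(("127.0.0.1", 0), handler)
        threading.Thread(target=srv.serve_forever, daemon=True).start()
        try:
            results[name] = trace_echoes_headers("127.0.0.1", srv.server_address[1])
        finally:
            srv.shutdown()
            srv.server_close()
    return results

if __name__ == "__main__":
    print(demo())
```

A `True` result for a server you administer means request headers are reflected in the response body, which is the condition the posts above describe; a 405 or 501 answer means TRACE is not served.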